GDPR Could Bring Swathes of Spam Due to Whois Redundancy

The introduction of GDPR next week could see a future increase in the amount of malicious spam, due to the end of blocking malicious domains by registrar.

Speaking to Infosecurity this week, Caleb Barlow, vice president of threat intelligence at IBM Security, said that the Whois database “is the fundamental ethos of how we protect the internet and we are seeing those services get shut down” as GDPR offers the ability to protect the identity of the domain owner.

Barlow called this an “unintended consequence of this privacy law” and that the end of disclosure of who owns the domain will prevent tracking the owners.

He said: “Millions of emails come in every day and we use Whois to see who sent it and block spammers, so the message doesn’t even make it in as it is blocked at the network layer. When a new domain gets registered we look at the Whois information and name and address.”

This issue was addressed by David Redl, the new head of the US National Telecommunications and Information Administration, earlier this year. He said: “The Whois service can, and should, retain its essential character while complying with national privacy laws, including the GDPR. It is in the interests of all internet stakeholders that it does.”

In April, ICANN president and CEO Goran Marby said: “Without a moratorium on enforcement, Whois will become fragmented and we must take steps to mitigate this issue”

The ICANN statement said that a moratorium on enforcement action by data protection acts would potentially allow for the introduction of an agreed-upon accreditation model, and for the registries and registrars to implement the accreditation model in conjunction with the measures in the agreed final interim compliance model.

“A fragmented Whois would no longer employ a common framework for generic top-level domain (gTLD) registration directory services,” ICANN said. “Registries and registrars would likely implement varying levels of access to data depending on their interpretations of the law.”

Barlow explained that while a malicious registrant will not use their real name, but there will be some consistency if they register 1000 domains, so the phone number or email would be the same “and when we detect one we can flag them all as bad, and this proliferates across the internet in minutes.”

Barlow said that losing the ability to know who registered a domain will hit the efficacy of malicious domain takedowns, and this could lead to two bad scenarios: one is where the amount of spam and attacks go up and companies block everything, including those who legitimately want to keep their details private; and the second issue will be more spam carrying malicious links or ransomware.

“This gives bad guys a free reign, as most domains are malicious,” Barlow said. “We need to filter them out, and the only way is with Whois.”

He concluded by saying that the cybersecurity industry can get in front of this, and monitor new domains and their activity “as bad guys register domains anonymously and wait a few months so test it, put legit traffic on it and then flip it to be malicious.”

However, we can expect a lot of spam in a few months with no way to block it. “Ironically the new privacy law could cause further loss through cyber-attack.”